Martin Emms
Leo Freitas
ABSTRACT
In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to ∈999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. In reality, the criminals would choose a value between ∈100 and ∈200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.
- Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S., Anderson, R. 2014. Chip and Skim: cloning EMV cards with the pre-play attack. 35th IEEE Symposium on Security and Privacy. http://arxiv.org/pdf/1209.2531.pdf Google Scholar
Digital Library
- Cooper, D. and Barner, J. 2008. Tokeneer ID station EAL5 demonstrator. Technical Report S.P1229.81.1, Altran Praxis.Google Scholar
- Drimer, S. and Murdoch, S.J. 2007. Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks. 16th USENIX Security Symposium, Boston, MA, USA. http://www.cl.cam.ac.uk/~sjm217/papers/usenix07bounding.pdf Google ScholarDigital Library
- EMVCo. 2011. EMV Integrated Circuit Card Specifications for Payment Systems -- Version 4.3. http://www.emvco.com/specifications.aspx?id=223 {Accessed: 22 August 2014}Google Scholar
- EMVCo. 2014. EMV Contactless Specifications for Payment Systems -- Version 2.4. http://www.emvco.com/specifications.aspx?id=21 {Accessed: 22 August 2014}Google Scholar
- Francis, L., Hancke, G., Mayes, K., Markantonakis, K. 2012. Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones. The 2012 Workshop on RFID and IoT Security (RFIDsec 2012 Asia), Nai-Wei, L., Yingjiu, L. (editors). Vol. 8, IOS Press (Cryptology and Information Security Series), pp. 21--32. http://eprint.iacr.org/2011/618.pdfGoogle Scholar
- Freitas, L. and Emms, M. 2014. Formal specification of EMV protocol. School of Computing Science Technical Report Series 1429, Newcastle University.Google Scholar
- International Organization for Standardization. 1995. ISO 8583:1995 -- Financial transaction card originated messages -- Interchange message specifications.Google Scholar
- Murdoch, S.J., Drimer, S., Anderson, R., Bond, M. 2010. Chip and PIN is Broken. IEEE Symposium on Security and Privacy, pp. 433--446. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5504801&isnumber=5504699 Google ScholarDigital Library
- Reason, J. 1990. Human Error. Cambridge University Press.Google Scholar
- Smans, J., Jacobs, B., and Piessens, F. 2013. VeriFast for Java: A Tutorial. In: Clarke, D., Noble, J., Wrigstad, T. (eds.) Aliasing in Object-Oriented Programming. LNCS, vol. 7850, pp. 407--442. Springer, Heidelberg. Google ScholarDigital Library
- The UK Cards Association Limited. 2013. Standard 70 -- Card Acceptor to Acquirer Interface Standards.Google Scholar
- Woodcock, J. and Davies, J. 1998. Using Z. Prentice Hall.Google Scholar
Index Terms
- Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN
Recommendations
Enhancing EMV Online PIN Verification
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01EMV (Europay MasterCard Visa) is a globally accepted standard for chip card-based payment transactions, which benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both ...
Enhancing EMV Online PIN Verification
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01EMV (Europay MasterCard Visa) is a globally accepted standard for chip card-based payment transactions, which benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both ...
Cloning credit cards: a combined pre-play and downgrade attack on EMV contactless
WOOT'13: Proceedings of the 7th USENIX conference on Offensive TechnologiesRecent roll-outs of contactless payment infrastructures-particularly in Austria and Germany - have raised concerns about the security of contactless payment cards and Near Field Communication (NFC). There are well-known attack scenarios like relay ...
Comments